NHI Forum


Teleport Integrates Sigstore: Strengthening Software Supply Chain


Posted by @teleport (Active Member; joined 5 months ago; 3 posts), topic starter

Read full article here: https://goteleport.com/blog/workload-identity-meets-supply-chain-security/?source=nhimg

Today’s software development is fast, complex, and increasingly reliant on third-party code, AI agents, and automated CI/CD pipelines. That speed comes with risk — and we’ve seen the consequences. Just think SUNBURST: a build-time backdoor in SolarWinds that compromised thousands of organizations globally.

Teleport’s new integration with Sigstore directly addresses this threat by bringing cryptographically verifiable workload identity into the software supply chain. The goal? Only trusted, signed code gets access to your infrastructure.


What is Sigstore and Why Does it Matter?

Sigstore is an open-source toolchain for signing and verifying software artifacts — from container images to build attestations. What makes it unique?

  • No long-lived keys: It uses ephemeral certificates tied to identity (via OIDC)

  • Transparency logs: Public audit trail of signatures

  • Zero trust for software: Trust only signed and verified code

Sigstore removes the pain of managing static signing keys — a major win for dev and security teams alike.


What Does This Have to Do with Workload Identity?

Teleport Machine & Workload Identity already lets services authenticate using short-lived SPIFFE-compliant certificates, replacing risky static credentials (like hardcoded tokens or API keys).

With the Sigstore integration, those certificates can now factor in supply chain context, such as:

  • Was this container image signed in CI?

  • Did it pass a vulnerability scan?

  • Was it built from trusted source code?
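The three Sigstore properties listed earlier (ephemeral certificates tied to an OIDC identity, a transparency log, trust only in verified code) and the first question above ("was this container image signed in CI?") can be shown end to end in a small Go model. The code below is an added example written for this post; it is not Teleport's or Sigstore's code. It assumes a toy certificate authority standing in for Fulcio, a plain list standing in for Rekor, and constructed values for the CI job's OIDC subject and the image digests.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// CA is a toy stand-in for a Fulcio-style issuer (not Sigstore's code): it binds a CI
// job's OIDC identity to a fresh key for ten minutes, so no signing key outlives the build.
type CA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func NewCA() *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy-fulcio-root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &CA{key, cert}
}

// IssueEphemeral returns a ten-minute signing certificate (DER) whose SAN URI is the
// job's OIDC subject, the claim Sigstore takes from the job's OIDC token.
func (ca *CA) IssueEphemeral(oidcSubject string, pub *ecdsa.PublicKey) []byte {
	u, err := url.Parse(oidcSubject)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	check(err)
	return der
}

// LogEntry is a Rekor-style record (Rekor's Merkle-tree inclusion proofs are omitted).
type LogEntry struct {
	ImageDigest        string
	Signature, CertDER []byte
	LoggedAt           time.Time
}
type TransparencyLog struct{ Entries []LogEntry }

// SignInCI is the build job's side: ephemeral key, short-lived cert, sign the image
// digest, publish to the log, and let the private key die with the process.
func SignInCI(ca *CA, tlog *TransparencyLog, oidcSubject, imageDigest string) int {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	sum := sha256.Sum256([]byte(imageDigest))
	sig, err := ecdsa.SignASN1(rand.Reader, key, sum[:])
	check(err)
	tlog.Entries = append(tlog.Entries, LogEntry{imageDigest, sig, ca.IssueEphemeral(oidcSubject, &key.PublicKey), time.Now()})
	return len(tlog.Entries) - 1
}

// AdmitWorkload is the gate "only signed, verified code gets access". The certificate is
// checked at log time, not now: it has expired long before the workload asks for access.
func AdmitWorkload(ca *CA, tlog *TransparencyLog, imageDigest, trustedSubject string) error {
	for _, e := range tlog.Entries {
		if e.ImageDigest != imageDigest {
			continue
		}
		cert, err := x509.ParseCertificate(e.CertDER)
		if err != nil || cert.CheckSignatureFrom(ca.cert) != nil ||
			e.LoggedAt.Before(cert.NotBefore) || e.LoggedAt.After(cert.NotAfter) {
			return errors.New("certificate not issued by the trusted CA, or not valid at log time")
		}
		if len(cert.URIs) != 1 || cert.URIs[0].String() != trustedSubject {
			return errors.New("signer identity is not the trusted CI job")
		}
		pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
		sum := sha256.Sum256([]byte(imageDigest))
		if !ok || !ecdsa.VerifyASN1(pub, sum[:], e.Signature) {
			return errors.New("signature does not cover this image digest")
		}
		return nil
	}
	return errors.New("image has no transparency-log entry")
}
```

The point to take from the model is the order of checks in AdmitWorkload: first that the certificate chains to the issuer you trust, then that it was valid at the moment the log recorded the signature, then that the identity inside it is the CI job you expect, and only then the signature over the digest. Skipping the identity check is the common mistake: any job that can obtain a certificate from the same issuer could otherwise sign an image that passes. A real deployment adds what the toy leaves out: Fulcio verifying the OIDC token before issuing, Rekor's inclusion proofs and signed checkpoints instead of a trusted in-memory list, and a policy that also consumes the other attestations the post mentions (vulnerability scan results, build provenance) before a workload identity is issued.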


Key Benefits of the Sigstore Integration:

  • Enforce access control based on signed container images

  • Block unknown or unverified software from accessing sensitive systems

  • Tie workload identity to your CI/CD process

  • Reduce your exposure to build-time supply chain attacks

  • Eliminate reliance on static secrets and passwords


This topic was modified 1 week ago 2 times by Abdelrahman
